On February 5, 2005 05:50 am, thorsten wrote:
> How about tightening the /etc Directory tree a little:
> chmod    go-rw  /etc
> chmod    go-rwx /etc/{fstab,hlfs-release,inittab,login.*}
> chmod    go-rwx /etc/limits
> chmod -R go-rwx /etc/{rc.d,sysconfig,syslog-ng,iproute2}
> I am not sure if it is wise to cut down the permissions on
> dev.d, hotplug, hotplug.d and udev,
> comments are welcome...
> regards
> thorsten happel

The stuff in /etc is usually non-secret information, except for shadow. A 
'chmod go-x /etc' would keep everyone except root from doing 'ls' in /etc. 
But I guess normal users don't need to read the bootscripts either.

I have been thinking about doing like
'chgrp -R users /{,usr}/{bin,sbin,lib}/*' and 'chmod o-rx ...' so that only 
real users can use the programs on the system... so that the ntp, syslog, or 
restricted user can't. But this is not easy to maintain, it would need to be 
redone every time something is installed. Similar permissions could go 
in /etc. And /tmp wouldn't need to be world writable, just group writable.

Maybe this sort of stuff could go in a "Finishing up" section, after 
everything is installed, configured, and users are added. Likewise we should 
have info for doing a read-only / partition.
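An added example, not from either poster: it builds a throwaway mock of /etc under a temp directory, applies the tightening proposed above to that mock, and then audits which files group or other can still read. The file names and the relative root are assumptions; nothing here touches the real /etc, and the audit function is the piece worth re-running after each install, since that is the maintenance problem raised in the reply.

```shell
#!/bin/sh
# Constructed mock of /etc, the proposed tightening applied to it, and an
# audit of what stays group/other-readable afterwards.  Paths are relative
# to a temp directory ($root), never the live system.
set -u

# Constructed tree: names follow the thread, contents are empty.
make_mock_etc() {
    root=$1
    mkdir -p "$root/etc/rc.d/init.d" "$root/etc/sysconfig"
    for f in fstab hlfs-release inittab login.defs limits passwd hostname; do
        : > "$root/etc/$f"
    done
    : > "$root/etc/rc.d/init.d/network"
    : > "$root/etc/sysconfig/clock"
    find "$root/etc" -type d -exec chmod 755 {} +   # usual install defaults
    find "$root/etc" -type f -exec chmod 644 {} +
}

# The tightening from the quoted mail, rooted at $root instead of /.
tighten_etc() {
    root=$1
    chmod    go-rw  "$root/etc"
    chmod    go-rwx "$root/etc/fstab" "$root/etc/hlfs-release" \
                    "$root/etc/inittab" "$root"/etc/login.*
    chmod    go-rwx "$root/etc/limits"
    chmod -R go-rwx "$root/etc/rc.d" "$root/etc/sysconfig"
}

# Audit: regular files under $1 that group or other can still read,
# printed as sorted paths relative to $1.  Anything a new package drops
# into the tree shows up here with its packaged default mode.
list_group_other_readable() {
    tree=$1
    find "$tree" -type f -perm /044 | sed "s|^$tree/||" | sort
}
```

Run the audit once before and once after `tighten_etc`; on the mock only passwd and hostname remain readable, which matches the reply's point that most of /etc is non-secret anyway.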